Didier Stevens

Monday 22 August 2016

Update: xor-kpa.py Version 0.0.3 With Man Page

Filed under: Encryption,My Software — Didier Stevens @ 0:00

This new version has a man page now (option -m):

Usage: xor-kpa.py [options] filename-plaintext [filename-ciphertext]
XOR known-plaintext attack

Predefined plaintext:
 dos: This program cannot be run in DOS mode

Source code put in the public domain by Didier Stevens, no Copyright
Use at your own risk
https://DidierStevens.com

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -m, --man             Print manual
  -n, --name            Use predefined plaintext
  -e EXTRA, --extra=EXTRA
                        Minimum number of extras
  -d, --decode          Decode the ciphertext

Manual:

xor-kpa performs a known-plaintext attack (KPA) on an XOR-encoded file. Take a
file with content "This is a secret message, do not share!". This file is XOR-
encoded like this: the key is ABC, the first byte of the file is XORed with A,
the second byte of the file is XORed with B, the third byte of the file is
XORed with C, the fourth byte of the file is XORed with A, the fifth byte of
the file is XORed with B, ...
If you know part of the plaintext of this file, and that plaintext is longer
than the key, then xor-kpa can recover the key.

xor-kpa tries to recover the key as follows. xor-kpa encodes the encoded file
with the provided plaintext: if you XOR-encode an XOR-encoded file
(ciphertext) again with its plaintext, then the result is the keystream (the
key repeated): ABCABCABC... xor-kpa detects such keystreams and extracts the
key.

Example:
 xor-kpa.py "#secret message" encoded.txt
Output:
 Key:       ABC
 Extra:     11
 Keystream: BCABCABCABCABC

In this example, we assume that the plaintext contains "secret message". xor-
kpa finds one keystream: BCABCABCABCABC. From this keystream, xor-kpa extracts
the key: ABC.
Extra is the number of extra charecters in the keystream: the keystream is 14
characters longh, the key is 3 characters long, so extra is 14 - 3 = 11. It is
a measure for the probability that the recovered key is the actual key. The
longer it is, the better.
In this case, because the ciphertext is a small file, xor-kpa found only one
keystream. But for larger files or small plaintext, it will identify more than
one potential keystream.

Example:
 xor-kpa.py #secret encoded.txt
Output:
 Key:       ABC
 Extra:     3
 Keystream: BCABCA

 Key:       'KUW^'
 Extra:     1
 Keystream: '^KUW^'

 Key:       'S@E'
 Extra:     1
 Keystream: 'S@ES'

In this example, xor-kpa has identified 3 potential keys. The potential keys
are sorted by descending extra-value. So the most promising keys are listed
first.
Keystreams with an extra value of 1 (1 extra character) rarely contain the
correct key.
Option -e (--extra) allows us to reduce the amount of displayed potential keys
by specifying the minimum value for extras.

Example:
 xor-kpa.py -e 2 #secret encoded.txt
Output:
 Key:       ABC
 Extra:     3
 Keystream: BCABCA

With option -e 2 we specify that the keystream must at least have 2 extras.
That's why the keystreams with 1 extra are not listed.

xor-kpa can also decode the ciphertext file with the recovered key (the key
with the highest extra value). Use option -d (--decode) to do this:

Example:
 xor-kpa.py -d #secret encoded.txt
Output:
 This is a secret message, do not share!

xor-kpa takes one or two arguments. The first argument is a file containing
the plaintext, the second argument is a file containing the ciphertext.
xor-kpa can also read the ciphertext from stdin (for example via a pipe), in
that case the second argument is omitted.
The files can also be ZIP files containing one file (optionally password-
protected with 'infected'), in that case xor-kpa will decompress the content
of the ZIP file and use it.

In stead of putting the plaintext or the ciphertext in a file, it can also be
passed in the argument. To achieve this, precede the text with character #
(this is what we have done in all the examples up till now).
If the text to pass via the argument contains control characters or non-
printable characters, hexadecimal (#h#) or base64 (#b#) can be used.

Example:
 xor-kpa.py -d #h#736563726574 encoded.txt
Output:
 This is a secret message, do not share!

Example:
 xor-kpa.py -d #b#c2VjcmV0 encoded.txt
Output:
 This is a secret message, do not share!

Finally, the plaintext can be selected from a predefined list. For the moment,
the only text in the predefined list is 'This program cannot be run in DOS
mode', identified by the keyword dos. Use option -n (--name) to use predefined
plaintext.

Example:
 xor-kpa.py -n dos malware.vir



xor-kpa_V0_0_3.zip (https)
MD5: 228B9DE1D3005F75190113369A91E1D4
SHA256: A30C20668BA0939DD936BB2706AEC636E5260EFB0B0F16F4770F9B1B59E780A9

Monday 8 August 2016

Howto CreateCertGUI: Create Your Own Certificate On Windows (OpenSSL Library)

Filed under: Encryption,My Software — Didier Stevens @ 0:00

I created a program with a graphical user interface to create a simple certificate. This program uses the OpenSSL library. Extract the program from the zip file (below) and run it:

20160807-232138

You don’t have to install any dependencies, everything is linked into the program.

If you need more help, here is a video:

Download:

CreateCertGUI_V1_0_0_1.zip (https)
MD5: F5400736E7E38F30D35A02FEB6D99651
SHA256: 82D59AC494FEF1A8B219C591717359712C19E8845D02A457017045A9A4C3D989

And if you are interested, here is the source code:

CreateCertGUI_source_V1_0_0_1.zip (https)
MD5: 790CA083407032434A8DA1FF8AC1E512
SHA256: B15BB8A3504EF56D1C6C84CA181FFB6E5A73956EC79757C62B87B520C136AA2D

Tuesday 2 August 2016

rtfdump: Update And Videos

Filed under: maldoc,My Software,Update — Didier Stevens @ 0:00

I made a small update to rtfdump and added new rules to rtf.yara.

This video is an intro to rtfdump:

This is a video on an RTF maldoc (MD5 07884483f95ae891845caf0d50ce507f) that contains an exploit for MS12-027 CVE-2012-0158:

This is a video on an RTF maldoc (MD5 4483ad299158eb54f6ff58b5346a36ee) that contains an exploit for MS10-087 CVE-2010-3333:

rtfdump_V0_0_3.zip (https)
MD5: 59DC23EE55F76C065A2A718DDFDB0E4E
SHA256: 46F9D768C6976AD5D4018EFDFD35DAE4212FEAE57871434A33CAEF028CB4CBA2

Sunday 31 July 2016

Update: re-search Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a small update for re-search.py to properly handle binary files.

re-search_V0_0_2.zip (https)
MD5: FC921EAF48774B6E113FAE76867B69E1
SHA256: B07BF53FE476E6FC4D5B568BA2B0B70DD3BC037478A2CBF3A08A1AA6CCDD402C

Saturday 30 July 2016

Bugfix: pdf-parser Version 0.6.5

Filed under: My Software,PDF,Update — Didier Stevens @ 16:19

This is a bugfix for pdf-parser. Streams were not properly extracted when they started with whitespace after the normal whitespace following the stream keyword.

pdf-parser_V0_6_5.zip (https)
MD5: 7F0880EB8A954979CA0ADAB2087E1C55
SHA256: E7D2CCA12CC43D626C53873CFF0BC0CE2875330FD5DBC8FB23B07396382DCC85

Friday 29 July 2016

Releasing rtfdump.py

Filed under: maldoc,My Software — Didier Stevens @ 8:59

Today I’m releasing my rtfdump.py tool to analyze RTF documents. I started working on it about a year ago, but I didn’t like the direction it took me in, and stopped working on it. About a week ago I started again with new samples, and I’m more satisfied now with the result.

I will post more information later. But if you want to get an idea how to use my tool, take a look at this analysis in SANS ISC Diary.

rtfdump_V0_0_2.zip (https)
MD5: 368CCACC556E283D5E1759ED5E164BFF
SHA256: DA9B0AB231B1ADBC1083FC0F915A789EF19A5F7540C317CFA80BF3DE038C7952

Saturday 16 July 2016

Tool To Generate Hashcat Toggle Rules

Filed under: My Software — Didier Stevens @ 0:00

generate-hashcat-toggle-rules.py is a Python program to generate hashcat toggle rules. Toggle rules toggle the case of letters in words present in a dictionary.

Hashcat comes with toggle rule files for candidate passwords up to 15 characters long. There’s a rules file that will toggle exactly one letter (toggles1.rule), another rule file for up to two letters (toggles2.rule), three, four, and finally a rule file for up to five letters (toggles5.rule). Hashcat does not provide rules with more than five toggles, as empirical data shows that passwords chosen by users only contain a couple of uppercase letters.

These toggle rule files can also be generated with generate-hashcat-toggle-rules.py.

This command generates rules identical to toggles5.rule:

generate-hashcat-toggle-rules.py 5

 

But I want to crack NTLM hashes for randomly generated passwords, and for which I already cracked the LM hash. So I must toggle up to 14 letters. I can use the following command to generate this toggle rule file:

generate-hashcat-toggle-rules.py -n -p 14 14 > toggles-lm-ntlm.rule

-n will include rule :. This rule makes no changes (nothing) to the candidate password. This way I can run hashcat only once with the rule file. I don’t need to run hashcat with and without rule file.

-p 14 generates toggles up to position 14 (the default is up to position 15, but since LM hash passwords are maximum 14 characters long, it’s useless to generate toggles for position 15).

Here is part of this generated file toggles-lm-ntlm.rule:

:
T0
T1
T2
T3
T4
T5
T6
T7
T8
T9
TA
TB
TC
TD
T0T1
T0T2
T0T3
T0T4
T0T5
...
T1T3T4T5T6T7T8T9TATBTCTD
T2T3T4T5T6T7T8T9TATBTCTD
T0T1T2T3T4T5T6T7T8T9TATBTC
T0T1T2T3T4T5T6T7T8T9TATBTD
T0T1T2T3T4T5T6T7T8T9TATCTD
T0T1T2T3T4T5T6T7T8T9TBTCTD
T0T1T2T3T4T5T6T7T8TATBTCTD
T0T1T2T3T4T5T6T7T9TATBTCTD
T0T1T2T3T4T5T6T8T9TATBTCTD
T0T1T2T3T4T5T7T8T9TATBTCTD
T0T1T2T3T4T6T7T8T9TATBTCTD
T0T1T2T3T5T6T7T8T9TATBTCTD
T0T1T2T4T5T6T7T8T9TATBTCTD
T0T1T3T4T5T6T7T8T9TATBTCTD
T0T2T3T4T5T6T7T8T9TATBTCTD
T1T2T3T4T5T6T7T8T9TATBTCTD
T0T1T2T3T4T5T6T7T8T9TATBTCTD

The generated toggle rule file toggles-lm-ntlm.rule is included in the ZIP file:

generate-hashcat-toggle-rules_v0_0_1.zip (https)
MD5: 170F54D69C8581B9379E11E14F31C39E
SHA256: 93AE3CC8123425CEBC85D6CA4DE1ED1DD14F492AB744368729FB38D24436B5D9

Monday 13 June 2016

Update:oledump.py Version 0.0.24

Filed under: My Software,Update — Didier Stevens @ 0:00

oledump.py has the –calc option to calculate the MD5 hashes of each stream (if you need another hash algorithm, use option –extra).

This time I needed the hashes of the decompressed macro streams, and not of the raw streams. So I updated oledump.py to support using options –calc and -v together (and also option –extra and -v). When you use option –calc (or –extra) with option -v, raw macro streams (indicator m or M) will be decompressed and the hash of the decompressed macro will be calculated.

I needed this option to compare two samples that were different, but probably very similar.

Here I can see that the hashes of the macro streams are identical, hence that although I have 2 different samples, the VBA code is identical.

20160608-215121

oledump_V0_0_24.zip (https)
MD5: F1BFD24FBC72966D54C365B57E662700
SHA256: 4C175874EFDF7DB3264038BFACFD44F1B9060E834189FF3CBAA6C8EBD9D7F680

Wednesday 1 June 2016

Major Update For zipdump.py

Filed under: My Software,Update — Didier Stevens @ 0:00

I released a first, simple version of zipdump.py, a tool to analyze ZIP files and their content. But I’ve made major changes to the tool (like support for YARA) that I release today.

zipdump can also be used to pipe a sample into my other analysis tools like oledump.py.

zipdump_v0_0_3.zip (https)
MD5: 100E4B1E1E9F542EB244C9A0766C35FF
SHA256: A5219D7C88FF78A8D7C93B9EEF19D085F9FA92944CAE492F293164213329988F

Here is the man page:

 

Usage: zipdump.py [options] [zipfile]
ZIP dump utility

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -m, --man             Print manual
  -s SELECT, --select=SELECT
                        select index nr or name
  -S SEPARATOR, --separator=SEPARATOR
                        Separator character (default )
  -o OUTPUT, --output=OUTPUT
                        Output to file
  -d, --dump            perform dump of first file or selected file
  -D, --dumpall         perform dump of all files or selected file
  -x, --hexdump         perform hex dump of first file or selected file
  -X, --hexdumpall      perform hex dump of all files or selected file
  -a, --asciidump       perform ascii dump of first file or selected file
  -A, --asciidumpall    perform ascii dump of all files or selected file
  -e, --extended        report extended information
  -p PASSWORD, --password=PASSWORD
                        The ZIP password to be used (default infected)
  -y YARA, --yara=YARA  YARA rule file (or directory or @file) to check files
                        (YARA search doesn't work with -s option)
  --yarastrings         Print YARA strings
  -C DECODERS, --decoders=DECODERS
                        decoders to load (separate decoders with a comma , ;
                        @file supported)
  --decoderoptions=DECODEROPTIONS
                        options for the decoder
  -v, --verbose         verbose output with decoder errors
  -c CUT, --cut=CUT     cut data
  -r, --regular         if the ZIP file contains a single ZIP file, handle it
                        like a regular (non-ZIP) file
  -z, --zipfilename     include the filename of the ZIP file in the output
  -E EXTRA, --extra=EXTRA
                        add extra info (environment variable: ZIPDUMP_EXTRA)

Manual:

zipdump is a tool to analyze ZIP files.
The ZIP file can be provided as an argument, via stdin (piping) and it may
also be contained in a (password protected) ZIP file.

When providing zipdump with a file to analyze, it will report on the content
of the ZIP file, like in this example:
C:\Demo>zipdump.py example.zip
Index Filename     Encrypted Timestamp
    1 Dialog42.exe         0 2012-02-25 12:08:26
    2 readme.txt           0 2015-11-24 19:40:12

The first column, Index, is an index that zipdump assigns to each file inside
the ZIP file. You can use it with option -s (select) to select a file for
further analysis.
Filename is the filename of the contained file.
Encrypted is a flag indicating if the file is encrypted (1) or not (0).
And the last column (Timestamp) is the timestamp of the file inside the
archive.

Option -s takes the index number or the filename to select a file.

By default, the separator used to delimit columns is the space character. When
the default separator is used, padding is added to lign up the columns.
Another separator character can be selected with option -S. No padding is used
when the separator is provided (even if it is the space character).
C:\Demo>zipdump.py -S ; example.zip
Index;Filename;Encrypted;Timestamp;
1;Dialog42.exe;0;2012-02-25 12:08:26;
2;readme.txt;0;2015-11-24 19:40:12;

When a file is selected, the properties of this file are displayed:
C:\Demo>zipdump.py -s 1 example.zip
Index Filename     Encrypted Timestamp
    1 Dialog42.exe         0 2012-02-25 12:08:26

The content of the selected file can also be dumped.
Use option -x to perform an hexdump:
C:\Demo>zipdump.py -s 1 -x example.zip
4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00
B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
...

Use option -a to perform an ascii/hexdump:
C:\Demo>zipdump.py -s 1 -a example.zip
00000000: 4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00  MZP.............
00000010: B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00  +.......@.......
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
...

Use option -d to perform a raw dump:
C:\Demo>zipdump.py -s 2 -d example.zip
test

A raw dump is useful to pipe the output into another command:
C:\Demo>zipdump.py -s 1 -d example.zip | pecheck.py
PE check for '':
Entropy: 6.425034 (Min=0.0, Max=8.0)
MD5     hash: 9b7f8260724e2cb643ad0729ec995b40
...

When options -x, -a or -d are used without selecting a file (option -s), the
first file in the ZIP file is selected and dumped.
When options -X, -A or -D are used without selecting a file (option -s), all
files in the ZIP file are selected and dumped.

The output produced by zipdump.py can de written to a file with option -o.

If the ZIP file is password protected, zipdump.py will try with password
'infected'. Option -p can be used to provide a different password to open the
ZIP file.

If the ZIP file contains a single ZIP file, the contained ZIP file will be
considered to be the ZIP file to analyze. To prevent this, use option -r.
Option -r handles the contained ZIP file as a regular file.

Option -z can be used to include the name of the zipfile in the report:
C:\Demo>zipdump.py -z -S ; example.zip
Index;Zipfilename;Filename;Encrypted;Timestamp;
1;example.zip;Dialog42.exe;0;2012-02-25 12:08:26;
2;example.zip;readme.txt;0;2015-11-24 19:40:12;

This can be useful when reports of many ZIP files are merged together.

Option -e extends the amount of information reported:
C:\Demo>zipdump.py -e example.zip
Index Filename     Encrypted Timestamp           MD5
Filesize Entropy       Magic HEX Magic ASCII Null bytes Control bytes
Whitespace bytes Printable bytes High bytes
    1 Dialog42.exe         0 2012-02-25 12:08:26
9b7f8260724e2cb643ad0729ec995b40    58120 6.42503434625 4d5a5000  MZP.
13014          6403             1678           19366      17659
    2 readme.txt           0 2015-11-24 19:40:12
098f6bcd4621d373cade4e832627b4f6        4 1.5            74657374 test
0             0                0               4          0

Columns MD5, Filesize and Entropy should be self-explanatory.
The Magic columns (HEX and ASCII) report the first 4 bytes of the file.
The remaining columns provide more statistical data about the contained file.
They count the number of bytes of a particular type found inside the contained
file. The byte types are: null bytes, control bytes, whitespace, printable
bytes and high bytes.

If you need other data than displayed by option -e, use option -E (extra).
This option takes a parameter describing the extra data that needs to be
calculated and displayed for each file. The following variables are defined:
  %INDEX%: the index of the file
  %ZIPFILENAME%: the filename of the ZIP container
  %FILENAME%: the filename of the contained file
  %ENCRYPTED%: encrypted indicator
  %TIMESTAMP%: timestamp
  %LENGTH%': the length of the file
  %MD5%: calculates MD5 hash
  %SHA1%: calculates SHA1 hash
  %SHA256%: calculates SHA256 hash
  %ENTROPY%: calculates entropy
  %HEADHEX%: display first 20 bytes of the file as hexadecimal
  %HEADASCII%: display first 20 bytes of the file as ASCII
  %TAILHEX%: display last 20 bytes of the file as hexadecimal
  %TAILASCII%: display last 20 bytes of the file as ASCII
  %HISTOGRAM%: calculates a histogram
                 this is the prevalence of each byte value (0x00 through 0xFF)
                 at least 3 numbers are displayed separated by a comma:
                 number of values with a prevalence > 0
                 minimum values with a prevalence > 0
                 maximum values with a prevalence > 0
                 each value with a prevalence > 0
  %BYTESTATS%: calculates byte statistics
                 byte statistics are 5 numbers separated by a comma:
                 number of NULL bytes
                 number of control bytes
                 number of whitespace bytes
                 number of printable bytes
                 number of high bytes

Example adding the SHA256 hash to the report:
C:\Demo>zipdump.py -E "%SHA256%" example.zip
Index Filename     Encrypted Timestamp
    1 Dialog42.exe         0 2012-02-25 12:08:26
0a391054e50a4808553466263c9c3b63e895be02c957dbb957da3ba96670cf34
    2 readme.txt           0 2015-11-24 19:40:12
9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08

The parameter for -E may contain other text than the variables, which will be
printed. Escape characters \n and \t are supported.
Example displaying the MD5 and SHA256 hash per file, separated by a -
character:
C:\Demo>zipdump.py -E "%MD5%-%SHA256%" example.zip
Index Filename     Encrypted Timestamp
    1 Dialog42.exe         0 2012-02-25 12:08:26 9b7f8260724e2cb643ad0729ec995
b40-0a391054e50a4808553466263c9c3b63e895be02c957dbb957da3ba96670cf34
    2 readme.txt           0 2015-11-24 19:40:12 098f6bcd4621d373cade4e832627b
4f6-9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08

If the extra parameter starts with !, then it replaces the complete output
line (in stead of being appended to the output line).
Example:
C:\Demo>zipdump.py -E "!%FILENAME%;%SHA256%" example.zip
Dialog42.exe;0a391054e50a4808553466263c9c3b63e895be02c957dbb957da3ba96670cf34
readme.txt;9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08

To include extra data with each use of zipdump, define environment variable
ZIPDUMP_EXTRA with the parameter that should be passed to -E. When environment
variable ZIPDUMP_EXTRA is defined, option -E can be ommited. When option -E is
used together with environment variable ZIPDUMP_EXTRA, the parameter of option
-E is used and the environment variable is ignored.

zipdump supports YARA rules. Installation of the YARA Python module is not
mandatory if you don't use YARA rules.
You provide the YARA rules with option -y. You can provide one file with YARA
rules, an at-file (@file containing the filenames of the YARA files) or a
directory. In case of a directory, all files inside the directory are read as
YARA files.
All files inside the ZIP file are scanned with the provided YARA rules, you
can not use option -s to select an individual file.

Example:
C:\Demo>zipdump.py -y contains_pe_file.yara example.zip
Index Filename     Decoder YARA namespace        YARA rule
    1 Dialog42.exe         contains_pe_file.yara Contains_PE_File

In this example, you use YARA rule contains_pe_file.yara to find PE files
(executables) inside ZIP files. The rule triggered for file 1, because it
contains an EXE file.

If you want more information about what was detected by the YARA rule, use
option --yarastrings like in this example:
C:\Demo>zipdump.py -y contains_pe_file.yara --yarastrings example.zip
Index Filename     Decoder YARA namespace        YARA rule
    1 Dialog42.exe         contains_pe_file.yara Contains_PE_File 000000 $a
4d5a 'MZ'

YARA rule contains_pe_file detects PE files by finding string MZ followed by
string PE at the correct offset (AddressOfNewExeHeader).
The rule looks like this:
rule Contains_PE_File
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
        description = "Detect a PE file inside a byte sequence"
        method = "Find string MZ followed by string PE at the correct offset
(AddressOfNewExeHeader)"
    strings:
        $a = "MZ"
    condition:
        for any i in (1..#a): (uint32(@a[i] + uint32(@a[i] + 0x3C)) ==
0x00004550)
}

To deal with encoded files, zipdump supports decoders. A decoder is a type of
plugin, that will bruteforce a type of encoding on each file. For example,
decoder_xor1 will encode each file via XOR and a key of 1 byte. So
effectively, 256 different encodings of the file will be scanned by the YARA
rules. 256 encodings because: XOR key 0x00, XOR key 0x01, XOR key 0x02, ...,
XOR key 0xFF
Here is an example:
C:\Demo>zipdump.py -y contains_pe_file.yara -C decoder_xor1 example.zip
Index Filename            Decoder             YARA namespace        YARA rule
    1 Dialog42.exe                            contains_pe_file.yara
Contains_PE_File
    3 Dialog42.exe.XORx14 XOR 1 byte key 0x14 contains_pe_file.yara
Contains_PE_File

The YARA rule triggers on file 3. It contains a PE file encoded via XORing
each byte with key 0x14.

You can specify more than one decoder separated by a comma ,.
C:\Demo>zipdump.py -y contains_pe_file.yara -C
decoder_xor1,decoder_rol1,decoder_add1 example.zip

Some decoders take options, to be provided with option --decoderoptions.

Use option -v to have verbose error messages when debugging your decoders.

Option -c (--cut) allows for the partial selection of a file. Use this option
to "cut out" part of the file.
The --cut option takes an argument to specify which section of bytes to select
from the file. This argument is composed of 2 terms separated by a colon (:),
like this:
termA:termB
termA and termB can be:
- nothing (an empty string)
- a positive decimal number; example: 10
- an hexadecimal number (to be preceded by 0x); example: 0x10
- a case sensitive string to search for (surrounded by square brackets and
single quotes); example: ['MZ']
- an hexadecimal string to search for (surrounded by square brackets);
example: [d0cf11e0]
If termA is nothing, then the cut section of bytes starts with the byte at
position 0.
If termA is a number, then the cut section of bytes starts with the byte at
the position given by the number (first byte has index 0).
If termA is a string to search for, then the cut section of bytes starts with
the byte at the position where the string is first found. If the string is not
found, the cut is empty (0 bytes).
If termB is nothing, then the cut section of bytes ends with the last byte.
If termB is a number, then the cut section of bytes ends with the byte at the
position given by the number (first byte has index 0).
When termB is a number, it can have suffix letter l. This indicates that the
number is a length (number of bytes), and not a position.
termB can also be a negative number (decimal or hexademical): in that case the
position is counted from the end of the file. For example, :-5 selects the
complete file except the last 5 bytes.
If termB is a string to search for, then the cut section of bytes ends with
the last byte at the position where the string is first found. If the string
is not found, the cut is empty (0 bytes).
No checks are made to assure that the position specified by termA is lower
than the position specified by termB. This is left up to the user.
Search string expressions (ASCII and hexadecimal) can be followed by an
instance (a number equal to 1 or greater) to indicate which instance needs to
be taken. For example, ['ABC']2 will search for the second instance of string
'ABC'. If this instance is not found, then nothing is selected.
Search string expressions (ASCII and hexadecimal) can be followed by an offset
(+ or - a number) to add (or substract) an offset to the found instance. For
example, ['ABC']+3 will search for the first instance of string 'ABC' and then
select the bytes after ABC (+ 3).
Finally, search string expressions (ASCII and hexadecimal) can be followed by
an instance and an offset.
Examples:
This argument can be used to dump the first 256 bytes of a PE file located
inside the file: ['MZ']:0x100l
This argument can be used to dump the OLE file located inside the file:
[d0cf11e0]:
When this option is not used, the complete file is selected.

Sunday 29 May 2016

Update: pecheck.py Version 0.5.1

Filed under: My Software,Update — Didier Stevens @ 10:12

This version offers more info about the overlay:

20160529-115403

pecheck-v0_5_1.zip (https)
MD5: F045A67AC1ECCF129030DFCE316383A9
SHA256: 9F6EFD34455D530BD3A867FEDD40C1E9538E8B7299E538AAC73D936EDF9904EF

Next Page »

Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 454 other followers